web html 防盗链
一概念
1防盗链
在HTTP协议中,有一个表头字段叫referer,采用URL的格式来表示从哪儿链接到当前的网页或文件,通过referer,网站可以检测目标网页访问的来源网页。有了referer跟踪来源就好办了,这时就可以通过技术手段来进行处理,一旦检测到来源不是本站即进行阻止或者返回指定的页面。
2页面中的转义字符
在HTML中,定义转义字符串的原因有两个:第一个原因是像“<”和“>”这类符号已经用来表示HTML标签,因此就不能直接当作文本中的符号来使用。为了在HTML文档中使用这些符号,就需要定义它的转义字符串。
| 字符 | 转义字符 |
| " | " |
| & | & |
| < | < |
| > | > |
| 空格 | |
-------------------------------------------------------------------------------------------------------
2.1防盗链的实现
1.tld约束
<tag>
<name>referer</name>
<tag-class>com.tag.RefererTag</tag-class>
<body-content>empty</body-content>
<attribute>
<name>site</name>
<required>true</required>
</attribute>
<attribute>
<name>page</name>
<required>true</required>
</attribute>
</tag>
2.实现了简单Tag接口的自定义Tag处理类
package com.tag;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.SkipPageException;
import javax.servlet.jsp.tagext.SimpleTagSupport;
public class RefererTag extends SimpleTagSupport{
private String site;
private String page;
public void setSite(String site) {
this.site = site;
}
public void setPage(String page) {
this.page = page;
}
@Override
public void doTag() throws JspException, IOException {
PageContext context = (PageContext)this.getJspContext();
HttpServletRequest request = (HttpServletRequest)context.getRequest();
HttpServletResponse response = (HttpServletResponse)context.getResponse();
String referer = request.getHeader("referer");
String path = request.getContextPath();
if(referer==null||referer.startsWith(site)){
if(page.startsWith(path))
response.sendRedirect(page);
else if(page.startsWith("/"))
response.sendRedirect(path+page);
else
response.sendRedirect(path+"/"+page);
// throw new SkipPageException(); 不执行
// 执行则是jsp片段invoke
}
}
}
3. 页面引用
------------index.jsp-------------------referer.jsp-----------
4.结果页面跳转
-----------------------------------------------------------------------------------------------------------
2.2转义标签的实现
1.tld约束
<tag>
<name>htmlfilter</name>
<tag-class>com.tag.HtmlFilterTag</tag-class>
<body-content>scriptless</body-content>
<!-- <body-content>tagdependent</body-content> -->
</tag>
2.自定义Tag处理类(其中Filter方法来自)
apache_tomcat-6.0.39.webapps\examples\WEB-INF\classes.util包
package com.tag;
import java.io.IOException;
import java.io.StringWriter;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.JspFragment;
import javax.servlet.jsp.tagext.SimpleTagSupport;
public class HtmlFilterTag extends SimpleTagSupport{
@Override
public void doTag() throws JspException, IOException {
JspFragment jf = this.getJspBody();
StringWriter content = new StringWriter();
jf.invoke(content);
String _content = filter(content.getBuffer().toString());
this.getJspContext().getOut().write(_content);
}
public static String filter(String message) {
if (message == null)
return (null);
char content[] = new char[message.length()];
message.getChars(0, message.length(), content, 0);
StringBuffer result = new StringBuffer(content.length + 50);
for (int i = 0; i < content.length; i++) {
switch (content[i]) {
case '<':
result.append("<");
break;
case '>':
result.append(">");
break;
case '&':
result.append("&");
break;
case '"':
result.append(""");
break;
default:
result.append(content[i]);
}
}
return (result.toString());
}
}
3.页面引用
View Code4.结果展示
5.body-content类型介绍
http://www.cnblogs.com/foreverzd/p/3833252.html
